Vulnerability

WebSPIRS

Affected

WebSPIRS CGI 3.1 (at least)

Description

The following is based on UkR security team advisory #1. WebSPIRS is SilverPlatter's Information Retrieval System for the World Wide Web (WWW). It is a common gateway interface (CGI) application which allows any forms-capable browser, such as Netscape, to search SilverPlatter (SP) Electronic Reference Library (ERL) databases available over the Internet.

The problem lies in incorrect validation of information submitted by the user's browser, which allows any file on the system where the script is installed to be displayed. Exploit:

http://www.target.com/cgi-bin/webspirs.cgi?sp.nextform=../../../../../../path/to/file

Solution

When you try this with WebSPIRS 4.2 it says, "Security Violation Detected, Contact your Systems Administrator." In WebSPIRS 4.2 the way we have it is URL/dbname?sp.nextform=blah/blah/blah. Now if you switch the dbname with webspirs.cgi it comes back with no data. Using it as dbname?sp.nextform=../../../../etc/passwd gives a security violation message.
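The check that was missing for sp.nextform, sketched as an added example (not SilverPlatter's code and not from the advisory): the requested form name is resolved against a fixed form directory and rejected if the result falls outside it. FORM_ROOT, the function names and the example.test URLs are assumptions made for illustration.

```python
import os
from urllib.parse import urlsplit, parse_qs

# Assumed form directory; the advisory does not give the real WebSPIRS layout.
FORM_ROOT = "/opt/webspirs/forms"


class SecurityViolation(Exception):
    """Raised when sp.nextform would resolve outside the form directory."""


def resolve_nextform(value, root=FORM_ROOT):
    """Return the absolute path of a form file, or raise SecurityViolation."""
    if not value or "\x00" in value:
        raise SecurityViolation("empty or NUL-containing form name")
    root = os.path.realpath(root)
    # realpath collapses ../ segments and follows symlinks before the check;
    # an absolute value such as /etc/passwd replaces root in the join.
    candidate = os.path.realpath(os.path.join(root, value))
    # commonpath compares whole components, so a sibling directory such as
    # forms_private does not pass the way a plain prefix test would allow.
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise SecurityViolation("form path escapes %s" % root)
    return candidate


def check_request(url, root=FORM_ROOT):
    """Extract sp.nextform from a request URL and validate it."""
    query = parse_qs(urlsplit(url).query)  # percent-decodes each value once
    values = query.get("sp.nextform", [])
    if len(values) != 1:
        raise SecurityViolation("sp.nextform missing or repeated")
    return resolve_nextform(values[0], root)


if __name__ == "__main__":
    # Constructed sample requests, not taken from real logs.
    samples = [
        "http://www.example.test/cgi-bin/webspirs.cgi?sp.nextform=search.htm",
        "http://www.example.test/cgi-bin/webspirs.cgi?sp.nextform=%2e%2e%2fx",
    ]
    for url in samples:
        try:
            print("OK      ", check_request(url))
        except SecurityViolation as exc:
            print("REJECTED", url, "-", exc)
```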